Ido Flatow's Blog - Veni Vidi Scripsi

January 2, 2014

If you are like me, and have tried the not-so-new Windows Azure Active Directory (AD) a couple of months ago, you probably wondered where the groups management view is. If you are like me, you probably googled (or binged) a bit and found the cool MVC sample that manages WAAD’s users and groups with the help of the Graph API. If you are like me, you probably tried clicking every button in the Web app to see how it works, only to find out that the app cannot delete users and groups and instead returns an HTTP 403 response with the message “Request denied: Insufficient privileges to complete the operation.”

If you are like me, you probably googled (or binged) some more (a lot more) and finally found the reason and how to fix it. If so, congratulations, you can skip this post. If you haven’t found how to resolve this yet, keep on reading.

Single Sign-On, Read and Write Directory Data: Single sign-on plus the ability to read and write directory data using the Graph API. This allows querying and writing of company, user, and group information, but does not allow deleting users or groups.

What? Why? How come? WTF?

Step 2 – It’s not my fault, so I’m probably not the only one. Searching for other unfortunate people like me led me to this forum thread:

The last cmdlet will add your AD application to the ‘User Account Administrator’ role, granting it permissions to delete both users and groups. Replace YOUR_OBJECT_ID with the object ID you found previously.
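As an added example (not the cmdlets from the original post or the forum thread), here is the whole fix in one script: resolve the application's service principal, add it to the ‘User Account Administrator’ role only if it is not already a member, and then verify the membership. It assumes the MSOnline (Azure AD) PowerShell module and uses a placeholder for your application's Client ID.

```powershell
# Added example, not the post's own cmdlets. Assumes the MSOnline module.
Import-Module MSOnline
Connect-MsolService   # prompts for a tenant administrator account

# Placeholder: replace with the Client ID (a GUID) of your AD application
# as shown in the Azure portal
$appClientId = 'YOUR_APP_CLIENT_ID'

# Resolve the application's service principal in the tenant; its ObjectId is
# the value referred to above as YOUR_OBJECT_ID
$sp = Get-MsolServicePrincipal -AppPrincipalId $appClientId
if (-not $sp) { throw "No service principal found for application $appClientId" }

$role = Get-MsolRole -RoleName 'User Account Administrator'

# Idempotency check: only add the service principal if it is not already a member
$already = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($already) {
    Write-Host "$($sp.DisplayName) is already a member of $($role.Name)"
} else {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId `
                       -RoleMemberType ServicePrincipal `
                       -RoleMemberObjectId $sp.ObjectId
}

# Verify: the application's service principal should now be listed as a role member
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
    Format-Table DisplayName, ObjectId, RoleMemberType
```

‘User Account Administrator’ is a tenant-wide directory role, so once it is granted, the application's client secret deserves the same protection as an administrator credential; the final listing is also a useful thing to review periodically for service principals that should no longer hold the role.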

And that’s it! Return to the cool MVC demo, try to delete a user or a group, and watch it work!